ChurchInfo GroupMemberList.php GroupID Variable SQL Injection

2005-08-01T08:17:46
ID OSVDB:18414
Type osvdb
Reporter thegreatone2176 (thegreatone2176@yahoo.com)
Modified 2005-08-01T08:17:46

Description

Vulnerability Description

ChurchInfo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the GroupMemberList.php script not properly sanitizing user-supplied input to the 'GroupID' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Upgrade to version 1.2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.churchdb.org/
Secunia Advisory ID: 16292
Related OSVDB IDs: 18410, 18422, 18424, 18408, 18409, 18412, 18417, 18418, 18419, 18421, 18425, 18428, 18429, 18411, 18413, 18420, 18423, 18415, 18416, 18426, 18427
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0007.html
CVE-2005-2473